Nowadays the need for distributed data storage, particularly in connection with the access of enterprise data, is becoming widely accepted. Distributed data storage can be flexibly architected enabling global access to data, data redundancy, geographically distributed data storage, and remote backup. One implementation that greatly facilitated the broad use of distributed data storage systems is a storage area network (SAN). A SAN is often used to centralize the management and maintenance of storage resources within organizations of various sizes or by third-party storage service providers (SSPs).
Network devices such as conventional network server systems and dedicated storage appliances, are used as the architectural building blocks of distributed data storage systems. Many of these devices implement support for the internet small computer system interface (iSCSI) protocol to obtain reliable data storage transport over a conventional TCP/IP network. The iSCSI protocol is described in the IETF Internet Draft iSCSI standard and is incorporated herein by reference. The iSCSI protocol itself encapsulates an I/O storage command and data structure that conforms to the small computer system interface (SCSI) architecture model (SAM2). While the SAM2 defines a local, direct attach client-server data transport protocol, the iSCSI protocol encapsulation of SAM2 adds global network naming support for initiator-target communication between network connected data source (i.e., initiator) and terminal storage (i.e., target) devices. Specifically, the iSCSI protocol allows network devices that are not connected by the same SCSI bus to communicate with each other over the Internet.
However, there are a number of practical and architectural problems inherent to the conventional distributed data storage systems. Data security and control over the security management functions are typically recognized as the most significant problems requiring resolution. The data security problems involve issues such as transport security, access security, and storage security.
Transport security is concerned with ensuring that data is delivered between an initiator client and a target storage device without external monitoring. The iSCSI protocol anticipates the complementary use of conventional transport security protocols, such as IP security (IPsec) protocol or other proprietary protocols, to provide secure encryption for data while being transported over the network. However, these protocols do not provide storage security. Conventionally, data delivered to a destination site for storage is protected at the destination site only by the security practices of that destination site. Typically, destination security is implemented by physical site security and locally administered encryption of the data. Such security means are neither guaranteed nor nominally within the control of the source data owner.
In the related art, there are a few solutions attempt to secure data store at the SSP sites. However, these solutions do not secure the data over the SAN. For example, U.S. patent application Ser. No. 10/016,879 entitled “Network Media Access Architecture and Methods for Secure Storage” (hereinafter the “879 application”) discloses a network controller for managing secure data storage in SSP sites. The provided controller encrypts data transmitted from a client to a storage device located at the SSP site. The data is encrypted according to a predefined encryption key that is associated with the target storage device. That is, the network controller does not associate the encryption key with the initiator, and thus the initiator is not aware which encryption key was used to encrypt the transmitted data. Furthermore, the network controller disclosed in the '879 application does not provide any means to encrypt data transmitted from the initiator. Therefore, data sent from an initiator to a target storage device is not secure while traveling the path between the initiator and the network controller.
It would be therefore advantageous to provide improved techniques to secure data transmitted over a storage network.